This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected website that may include sensitive information.
BackupBuddy allows users to backup their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.
The plugin has an estimated 140,000 active installs, with the vulnerability (CVE-2022-31474, CVSS score: 7.5) affecting versions 126.96.36.199 to 188.8.131.52. It has been resolved in version 8.7.5 released on September 2, 2022.
The problem stems from a function called “Local Directory Copy” which is designed to store a local copy of backups. According to Wordfence, the vulnerability is the result of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server.
Additional details about the vulnerability have been withheld because it is being actively abused in the wild and is easy to exploit.
“This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation,” the plugin’s developer, iThemes, said. “This may include the wp-config.php of WordPress and, depending on your server setup, sensitive files like /etc/passwd.”
Wordfence notes that targeting CVE-2022-31474 began on August 26, 2022, and it blocked nearly five million attacks during the intervening period. Most of the intrusions tried to read the following files:

- /etc/passwd
- /wp-config.php
- .my.cnf
- .accesshash
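As an added example, not code from the article, Wordfence or iThemes, the following Python scans combined-format web-server access log lines for requests that reference the four files listed above, stripping percent-encoding first so encoded variants are not missed, and separates the requests the server answered with HTTP 200 (the reads that may have succeeded). The sample log lines, the `/index.php?download=` endpoint and the parameter name are constructed placeholders, not the plugin's real vulnerable endpoint, which the article withholds.

```python
import re
from urllib.parse import unquote

# Files the article reports as the most common targets of the attacks.
TARGET_FILES = ("/etc/passwd", "wp-config.php", ".my.cnf", ".accesshash")

# Combined-format access log line; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def decode_uri(uri, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %2Fetc%2Fpasswd or
    double-encoded %252E variants compare against the plain file names."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """(ip, raw_uri, target, status) if the request references a sensitive
    file, else None (also for lines that do not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_uri(m.group("uri"))
    for target in TARGET_FILES:
        if target in decoded:
            return (m.group("ip"), m.group("uri"), target, int(m.group("status")))
    return None

def scan(lines):
    """All suspicious requests, in log order."""
    return [hit for hit in map(classify, lines) if hit]

def served(hits):
    """Hits answered with HTTP 200: reads that may have succeeded, so rotate the credentials the article names."""
    return [h for h in hits if h[3] == 200]

# Constructed sample log. Endpoint and parameter name are placeholders, not the
# plugin's real vulnerable endpoint (the article withholds those details).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2022:10:15:01 +0000] "GET /index.php?download=../../../../etc/passwd HTTP/1.1" 200 1423 "-" "curl/7.68.0"',
    '203.0.113.5 - - [26/Aug/2022:10:15:02 +0000] "GET /index.php?download=..%2F..%2Fwp-config.php HTTP/1.1" 200 3102 "-" "curl/7.68.0"',
    '198.51.100.7 - - [26/Aug/2022:10:16:00 +0000] "GET /index.php?download=%252Emy%252Ecnf HTTP/1.1" 403 221 "-" "python-requests/2.28"',
    '192.0.2.9 - - [26/Aug/2022:10:17:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Aug/2022:10:18:30 +0000] "GET /index.php?download=.accesshash HTTP/1.1" 404 196 "-" "python-requests/2.28"',
]
```

Run `scan(SAMPLE_LOG)` against a real log to list every request naming one of these files, and `served(...)` on the result to see which of them the server actually fulfilled.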
BackupBuddy plugin users should upgrade to the latest version. Site owners who determine that they may have been compromised should reset the database password, change the WordPress salts, and rotate the API keys stored in wp-config.php.